Security bug resolved in the Dropbox SDKs for Android

A few months ago, we patched a minor security vulnerability in our Android Core and Sync/Datastore SDKs. While most popular apps have already updated their Android SDKs, we’d like to ask all our Android developers to update their apps to use Core API Android SDK v1.6.3 or Sync/Datastore Android SDK v3.1.2.

For users to be affected by this vulnerability, they would’ve needed to:

Use an affected app on an Android device

Not have the Dropbox for Android app installed, and

Visit, in their Android web browser, a specially crafted malicious page targeting that app, or have a malicious app installed on their phone

An attacker could then link their own Dropbox account to a vulnerable third-party app on the victim’s device, which would let the attacker capture any new data the user saved to Dropbox through that app.

Every app works differently, so many apps using the affected SDKs weren’t vulnerable at all, or required additional conditions before the vulnerability could be exploited. This vulnerability couldn’t give attackers access to any existing files in a user’s account, and users with the Dropbox app installed on their devices were never vulnerable. There are no reports or evidence to indicate the vulnerability was ever used to access user data.

We want to thank Roee Hay and Or Peles at IBM for discovering and responsibly disclosing this vulnerability. We take user security and privacy very seriously, and we continue to work closely with security researchers to keep our users safe.

If you have any questions or concerns please don’t hesitate to reach out.

Please note: Sometimes we blog about upcoming products or features before they’re released, but timing and exact functionality of these features may change from what’s shared here. The decision to purchase our services should be made based on features that are currently available.